How to explain the crappy state of federal IT security? And, more importantly, what to do about it? Zach Goldfarb's piece in The Washington Post today suggests some answers to both questions.
Why are federal agencies seeing so many breaches? First, because they are under almost constant attack. Second, because data security has never been given its due under the Bush Administration.
Almost all agencies lack department-wide security programs. Such programs provide "a framework and continuing cycle of activities for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the entity's computer-related control," Gregory Wilshusen, GAO director of information security, told Congress in March.
Bruce Brody, a former VA and Energy chief information-security officer, said agencies cherish decentralization, but "in the case of information technology, it creates fragmentation. It creates inefficiencies."
Paul Kurtz, who worked in the White House on cybersecurity, said that senior agency officials had the attitude that they "had much better things to do with my job" than work on information security.
So how to push the octopus of many decentralized agencies into a state of robust security? It might come down to criminal sanctions, suggested Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee.
"If you don't accomplish your current mission, you know you're going to get dinged. If you don't accomplish this security thing, there's only an outside chance you'll have a data security breach" that garners attention.
Davis said he worries about a kind of cyber Pearl Harbor. The Pentagon, in a statement, noted that potential adversaries, aware of the United States' overwhelming military might, "see cyber attacks as an inexpensive means of leveling that battlefield." It added, "These asymmetrical threats are real and the results of insecurity are potentially catastrophic."
Davis and OMB's Johnson said federal overseers need to hold accountable federal officials who fail to take the necessary steps to safeguard systems. Davis suggested that criminal penalties may be necessary.